diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2016-07-04 16:28:58 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2016-07-04 16:28:58 +0100 |
commit | 0d7e96c9b505b2afb1db08732c3a87288ccbbdd3 (patch) | |
tree | 8b21c01b4c06af0c29ada192d69da84cf3c1c33f | |
parent | 3173a1fd549b7fa0f7029b2c6a6b86ba6efa92aa (diff) | |
parent | a1c5e949ddc3234dcb85a44b9cb9312cd9f3522f (diff) |
Merge remote-tracking branch 'remotes/berrange/tags/pull-qcrypto-2016-07-04-1' into staging
Merge qcrypto 2016/07/04 v1
# gpg: Signature made Mon 04 Jul 2016 15:54:26 BST
# gpg: using RSA key 0xBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* remotes/berrange/tags/pull-qcrypto-2016-07-04-1:
crypto: allow default TLS priority to be chosen at build time
crypto: add support for TLS priority string override
crypto: implement sha224, sha384, sha512 and ripemd160 hashes
crypto: switch hash code to use nettle/gcrypt directly
crypto: rename OUT to out in xts test to avoid clash on MinGW
crypto: fix handling of iv generator hash defaults
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rwxr-xr-x | configure | 20 | ||||
-rw-r--r-- | crypto/Makefile.objs | 3 | ||||
-rw-r--r-- | crypto/block-luks.c | 21 | ||||
-rw-r--r-- | crypto/hash-gcrypt.c | 110 | ||||
-rw-r--r-- | crypto/hash-nettle.c | 155 | ||||
-rw-r--r-- | crypto/hash-stub.c | 41 | ||||
-rw-r--r-- | crypto/hash.c | 109 | ||||
-rw-r--r-- | crypto/tlscreds.c | 26 | ||||
-rw-r--r-- | crypto/tlssession.c | 26 | ||||
-rw-r--r-- | include/crypto/tlscreds.h | 1 | ||||
-rw-r--r-- | qapi/crypto.json | 6 | ||||
-rw-r--r-- | tests/Makefile.include | 2 | ||||
-rwxr-xr-x | tests/qemu-iotests/149 | 12 | ||||
-rw-r--r-- | tests/qemu-iotests/149.out | 240 | ||||
-rw-r--r-- | tests/test-crypto-hash.c | 53 | ||||
-rw-r--r-- | tests/test-crypto-xts.c | 18 |
16 files changed, 704 insertions, 139 deletions
@@ -305,8 +305,8 @@ archipelago="no" gtk="" gtkabi="" gtk_gl="no" +tls_priority="NORMAL" gnutls="" -gnutls_hash="" gnutls_rnd="" nettle="" nettle_kdf="no" @@ -1097,6 +1097,8 @@ for opt do ;; --enable-gtk) gtk="yes" ;; + --tls-priority=*) tls_priority="$optarg" + ;; --disable-gnutls) gnutls="no" ;; --enable-gnutls) gnutls="yes" @@ -1308,6 +1310,7 @@ Advanced options (experts only): --disable-blobs disable installing provided firmware blobs --with-vss-sdk=SDK-path enable Windows VSS support in QEMU Guest Agent --with-win-sdk=SDK-path path to Windows Platform SDK (to build VSS .tlb) + --tls-priority default TLS protocol/cipher priority string Optional features, enabled with --enable-FEATURE and disabled with --disable-FEATURE, default is enabled if available: @@ -2218,13 +2221,6 @@ if test "$gnutls" != "no"; then QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags" gnutls="yes" - # gnutls_hash_init requires >= 2.9.10 - if $pkg_config --exists "gnutls >= 2.9.10"; then - gnutls_hash="yes" - else - gnutls_hash="no" - fi - # gnutls_rnd requires >= 2.11.0 if $pkg_config --exists "gnutls >= 2.11.0"; then gnutls_rnd="yes" @@ -2258,11 +2254,9 @@ if test "$gnutls" != "no"; then feature_not_found "gnutls" "Install gnutls devel" else gnutls="no" - gnutls_hash="no" gnutls_rnd="no" fi else - gnutls_hash="no" gnutls_rnd="no" fi @@ -4812,8 +4806,8 @@ echo "SDL support $sdl $(echo_version $sdl $sdlversion)" echo "GTK support $gtk $(echo_version $gtk $gtk_version)" echo "GTK GL support $gtk_gl" echo "VTE support $vte $(echo_version $vte $vteversion)" +echo "TLS priority $tls_priority" echo "GNUTLS support $gnutls" -echo "GNUTLS hash $gnutls_hash" echo "GNUTLS rnd $gnutls_rnd" echo "libgcrypt $gcrypt" echo "libgcrypt kdf $gcrypt_kdf" @@ -5176,12 +5170,10 @@ if test "$gtk" = "yes" ; then echo "CONFIG_GTK_GL=y" >> $config_host_mak fi fi +echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak if test "$gnutls" = "yes" ; then echo "CONFIG_GNUTLS=y" >> $config_host_mak fi -if test "$gnutls_hash" = "yes" ; then - echo "CONFIG_GNUTLS_HASH=y" >> $config_host_mak -fi if test "$gnutls_rnd" = "yes" ; then echo "CONFIG_GNUTLS_RND=y" >> $config_host_mak fi diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs index 0737f48118..1f86f4f07f 100644 --- a/crypto/Makefile.objs +++ b/crypto/Makefile.objs @@ -1,5 +1,7 @@ crypto-obj-y = init.o crypto-obj-y += hash.o +crypto-obj-$(CONFIG_NETTLE) += hash-nettle.o +crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += hash-gcrypt.o crypto-obj-y += aes.o crypto-obj-y += desrfb.o crypto-obj-y += cipher.o @@ -28,3 +30,4 @@ crypto-aes-obj-y = aes.o stub-obj-y += random-stub.o stub-obj-y += pbkdf-stub.o +stub-obj-y += hash-stub.o diff --git a/crypto/block-luks.c b/crypto/block-luks.c index 63649f1091..fcf3b040e4 100644 --- a/crypto/block-luks.c +++ b/crypto/block-luks.c @@ -776,6 +776,11 @@ qcrypto_block_luks_open(QCryptoBlock *block, } if (ivalg == QCRYPTO_IVGEN_ALG_ESSIV) { + if (!ivhash_name) { + ret = -EINVAL; + error_setg(errp, "Missing IV generator hash specification"); + goto fail; + } ivcipheralg = qcrypto_block_luks_essiv_cipher(cipheralg, ivhash, &local_err); @@ -785,6 +790,13 @@ qcrypto_block_luks_open(QCryptoBlock *block, goto fail; } } else { + /* Note we parsed the ivhash_name earlier in the cipher_mode + * spec string even with plain/plain64 ivgens, but we + * will ignore it, since it is irrelevant for these ivgens. + * This is for compat with dm-crypt which will silently + * ignore hash names with these ivgens rather than report + * an error about the invalid usage + */ ivcipheralg = cipheralg; } @@ -904,6 +916,15 @@ qcrypto_block_luks_create(QCryptoBlock *block, if (!luks_opts.has_hash_alg) { luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; } + if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { + if (!luks_opts.has_ivgen_hash_alg) { + luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; + luks_opts.has_ivgen_hash_alg = true; + } + } + /* Note we're allowing ivgen_hash_alg to be set even for + * non-essiv iv generators that don't need a hash. It will + * be silently ignored, for compatibility with dm-crypt */ if (!options->u.luks.key_secret) { error_setg(errp, "Parameter 'key-secret' is required for cipher"); diff --git a/crypto/hash-gcrypt.c b/crypto/hash-gcrypt.c new file mode 100644 index 0000000000..8ea5aff4ee --- /dev/null +++ b/crypto/hash-gcrypt.c @@ -0,0 +1,110 @@ +/* + * QEMU Crypto hash algorithms + * + * Copyright (c) 2016 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "crypto/hash.h" +#include "gcrypt.h" + + +static int qcrypto_hash_alg_map[QCRYPTO_HASH_ALG__MAX] = { + [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5, + [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1, + [QCRYPTO_HASH_ALG_SHA224] = GCRY_MD_SHA224, + [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256, + [QCRYPTO_HASH_ALG_SHA384] = GCRY_MD_SHA384, + [QCRYPTO_HASH_ALG_SHA512] = GCRY_MD_SHA512, + [QCRYPTO_HASH_ALG_RIPEMD160] = GCRY_MD_RMD160, +}; + +gboolean qcrypto_hash_supports(QCryptoHashAlgorithm alg) +{ + if (alg < G_N_ELEMENTS(qcrypto_hash_alg_map) && + qcrypto_hash_alg_map[alg] != GCRY_MD_NONE) { + return true; + } + return false; +} + + +int qcrypto_hash_bytesv(QCryptoHashAlgorithm alg, + const struct iovec *iov, + size_t niov, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int i, ret; + gcry_md_hd_t md; + unsigned char *digest; + + if (alg >= G_N_ELEMENTS(qcrypto_hash_alg_map) || + qcrypto_hash_alg_map[alg] == GCRY_MD_NONE) { + error_setg(errp, + "Unknown hash algorithm %d", + alg); + return -1; + } + + ret = gcry_md_open(&md, qcrypto_hash_alg_map[alg], 0); + + if (ret < 0) { + error_setg(errp, + "Unable to initialize hash algorithm: %s", + gcry_strerror(ret)); + return -1; + } + + for (i = 0; i < niov; i++) { + gcry_md_write(md, iov[i].iov_base, iov[i].iov_len); + } + + ret = gcry_md_get_algo_dlen(qcrypto_hash_alg_map[alg]); + if (ret <= 0) { + error_setg(errp, + "Unable to get hash length: %s", + gcry_strerror(ret)); + goto error; + } + if (*resultlen == 0) { + *resultlen = ret; + *result = g_new0(uint8_t, *resultlen); + } else if (*resultlen != ret) { + error_setg(errp, + "Result buffer size %zu is smaller than hash %d", + *resultlen, ret); + goto error; + } + + digest = gcry_md_read(md, 0); + if (!digest) { + error_setg(errp, + "No digest produced"); + goto error; + } + memcpy(*result, digest, *resultlen); + + gcry_md_close(md); + return 0; + + error: + gcry_md_close(md); + return -1; +} diff --git a/crypto/hash-nettle.c b/crypto/hash-nettle.c new file mode 100644 index 0000000000..4c6f50b65d --- /dev/null +++ b/crypto/hash-nettle.c @@ -0,0 +1,155 @@ +/* + * QEMU Crypto hash algorithms + * + * Copyright (c) 2016 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "crypto/hash.h" +#include <nettle/md5.h> +#include <nettle/sha.h> +#include <nettle/ripemd160.h> + +typedef void (*qcrypto_nettle_init)(void *ctx); +typedef void (*qcrypto_nettle_write)(void *ctx, + unsigned int len, + const uint8_t *buf); +typedef void (*qcrypto_nettle_result)(void *ctx, + unsigned int len, + uint8_t *buf); + +union qcrypto_hash_ctx { + struct md5_ctx md5; + struct sha1_ctx sha1; + struct sha224_ctx sha224; + struct sha256_ctx sha256; + struct sha384_ctx sha384; + struct sha512_ctx sha512; + struct ripemd160_ctx ripemd160; +}; + +struct qcrypto_hash_alg { + qcrypto_nettle_init init; + qcrypto_nettle_write write; + qcrypto_nettle_result result; + size_t len; +} qcrypto_hash_alg_map[] = { + [QCRYPTO_HASH_ALG_MD5] = { + .init = (qcrypto_nettle_init)md5_init, + .write = (qcrypto_nettle_write)md5_update, + .result = (qcrypto_nettle_result)md5_digest, + .len = MD5_DIGEST_SIZE, + }, + [QCRYPTO_HASH_ALG_SHA1] = { + .init = (qcrypto_nettle_init)sha1_init, + .write = (qcrypto_nettle_write)sha1_update, + .result = (qcrypto_nettle_result)sha1_digest, + .len = SHA1_DIGEST_SIZE, + }, + [QCRYPTO_HASH_ALG_SHA224] = { + .init = (qcrypto_nettle_init)sha224_init, + .write = (qcrypto_nettle_write)sha224_update, + .result = (qcrypto_nettle_result)sha224_digest, + .len = SHA224_DIGEST_SIZE, + }, + [QCRYPTO_HASH_ALG_SHA256] = { + .init = (qcrypto_nettle_init)sha256_init, + .write = (qcrypto_nettle_write)sha256_update, + .result = (qcrypto_nettle_result)sha256_digest, + .len = SHA256_DIGEST_SIZE, + }, + [QCRYPTO_HASH_ALG_SHA384] = { + .init = (qcrypto_nettle_init)sha384_init, + .write = (qcrypto_nettle_write)sha384_update, + .result = (qcrypto_nettle_result)sha384_digest, + .len = SHA384_DIGEST_SIZE, + }, + [QCRYPTO_HASH_ALG_SHA512] = { + .init = (qcrypto_nettle_init)sha512_init, + .write = (qcrypto_nettle_write)sha512_update, + .result = (qcrypto_nettle_result)sha512_digest, + .len = SHA512_DIGEST_SIZE, + }, + [QCRYPTO_HASH_ALG_RIPEMD160] = { + .init = (qcrypto_nettle_init)ripemd160_init, + .write = (qcrypto_nettle_write)ripemd160_update, + .result = (qcrypto_nettle_result)ripemd160_digest, + .len = RIPEMD160_DIGEST_SIZE, + }, +}; + +gboolean qcrypto_hash_supports(QCryptoHashAlgorithm alg) +{ + if (alg < G_N_ELEMENTS(qcrypto_hash_alg_map) && + qcrypto_hash_alg_map[alg].init != NULL) { + return true; + } + return false; +} + + +int qcrypto_hash_bytesv(QCryptoHashAlgorithm alg, + const struct iovec *iov, + size_t niov, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int i; + union qcrypto_hash_ctx ctx; + + if (alg >= G_N_ELEMENTS(qcrypto_hash_alg_map) || + qcrypto_hash_alg_map[alg].init == NULL) { + error_setg(errp, + "Unknown hash algorithm %d", + alg); + return -1; + } + + qcrypto_hash_alg_map[alg].init(&ctx); + + for (i = 0; i < niov; i++) { + /* Some versions of nettle have functions + * declared with 'int' instead of 'size_t' + * so to be safe avoid writing more than + * UINT_MAX bytes at a time + */ + size_t len = iov[i].iov_len; + uint8_t *base = iov[i].iov_base; + while (len) { + size_t shortlen = MIN(len, UINT_MAX); + qcrypto_hash_alg_map[alg].write(&ctx, len, base); + len -= shortlen; + base += len; + } + } + + if (*resultlen == 0) { + *resultlen = qcrypto_hash_alg_map[alg].len; + *result = g_new0(uint8_t, *resultlen); + } else if (*resultlen != qcrypto_hash_alg_map[alg].len) { + error_setg(errp, + "Result buffer size %zu is smaller than hash %zu", + *resultlen, qcrypto_hash_alg_map[alg].len); + return -1; + } + + qcrypto_hash_alg_map[alg].result(&ctx, *resultlen, *result); + + return 0; +} diff --git a/crypto/hash-stub.c b/crypto/hash-stub.c new file mode 100644 index 0000000000..8a9b8d4c09 --- /dev/null +++ b/crypto/hash-stub.c @@ -0,0 +1,41 @@ +/* + * QEMU Crypto hash algorithms + * + * Copyright (c) 2016 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "crypto/hash.h" + +gboolean qcrypto_hash_supports(QCryptoHashAlgorithm alg G_GNUC_UNUSED) +{ + return false; +} + +int qcrypto_hash_bytesv(QCryptoHashAlgorithm alg, + const struct iovec *iov G_GNUC_UNUSED, + size_t niov G_GNUC_UNUSED, + uint8_t **result G_GNUC_UNUSED, + size_t *resultlen G_GNUC_UNUSED, + Error **errp) +{ + error_setg(errp, + "Hash algorithm %d not supported without GNUTLS", + alg); + return -1; +} diff --git a/crypto/hash.c b/crypto/hash.c index 2907bffd2e..0f1ceac66a 100644 --- a/crypto/hash.c +++ b/crypto/hash.c @@ -22,16 +22,14 @@ #include "qapi/error.h" #include "crypto/hash.h" -#ifdef CONFIG_GNUTLS_HASH -#include <gnutls/gnutls.h> -#include <gnutls/crypto.h> -#endif - - static size_t qcrypto_hash_alg_size[QCRYPTO_HASH_ALG__MAX] = { [QCRYPTO_HASH_ALG_MD5] = 16, [QCRYPTO_HASH_ALG_SHA1] = 20, + [QCRYPTO_HASH_ALG_SHA224] = 28, [QCRYPTO_HASH_ALG_SHA256] = 32, + [QCRYPTO_HASH_ALG_SHA384] = 48, + [QCRYPTO_HASH_ALG_SHA512] = 64, + [QCRYPTO_HASH_ALG_RIPEMD160] = 20, }; size_t qcrypto_hash_digest_len(QCryptoHashAlgorithm alg) @@ -41,105 +39,6 @@ size_t qcrypto_hash_digest_len(QCryptoHashAlgorithm alg) } -#ifdef CONFIG_GNUTLS_HASH -static int qcrypto_hash_alg_map[QCRYPTO_HASH_ALG__MAX] = { - [QCRYPTO_HASH_ALG_MD5] = GNUTLS_DIG_MD5, - [QCRYPTO_HASH_ALG_SHA1] = GNUTLS_DIG_SHA1, - [QCRYPTO_HASH_ALG_SHA256] = GNUTLS_DIG_SHA256, -}; - -gboolean qcrypto_hash_supports(QCryptoHashAlgorithm alg) -{ - if (alg < G_N_ELEMENTS(qcrypto_hash_alg_map)) { - return true; - } - return false; -} - - -int qcrypto_hash_bytesv(QCryptoHashAlgorithm alg, - const struct iovec *iov, - size_t niov, - uint8_t **result, - size_t *resultlen, - Error **errp) -{ - int i, ret; - gnutls_hash_hd_t dig; - - if (alg >= G_N_ELEMENTS(qcrypto_hash_alg_map)) { - error_setg(errp, - "Unknown hash algorithm %d", - alg); - return -1; - } - - ret = gnutls_hash_init(&dig, qcrypto_hash_alg_map[alg]); - - if (ret < 0) { - error_setg(errp, - "Unable to initialize hash algorithm: %s", - gnutls_strerror(ret)); - return -1; - } - - for (i = 0; i < niov; i++) { - ret = gnutls_hash(dig, iov[i].iov_base, iov[i].iov_len); - if (ret < 0) { - error_setg(errp, - "Unable process hash data: %s", - gnutls_strerror(ret)); - goto error; - } - } - - ret = gnutls_hash_get_len(qcrypto_hash_alg_map[alg]); - if (ret <= 0) { - error_setg(errp, - "Unable to get hash length: %s", - gnutls_strerror(ret)); - goto error; - } - if (*resultlen == 0) { - *resultlen = ret; - *result = g_new0(uint8_t, *resultlen); - } else if (*resultlen != ret) { - error_setg(errp, - "Result buffer size %zu is smaller than hash %d", - *resultlen, ret); - goto error; - } - - gnutls_hash_deinit(dig, *result); - return 0; - - error: - gnutls_hash_deinit(dig, NULL); - return -1; -} - -#else /* ! CONFIG_GNUTLS_HASH */ - -gboolean qcrypto_hash_supports(QCryptoHashAlgorithm alg G_GNUC_UNUSED) -{ - return false; -} - -int qcrypto_hash_bytesv(QCryptoHashAlgorithm alg, - const struct iovec *iov G_GNUC_UNUSED, - size_t niov G_GNUC_UNUSED, - uint8_t **result G_GNUC_UNUSED, - size_t *resultlen G_GNUC_UNUSED, - Error **errp) -{ - error_setg(errp, - "Hash algorithm %d not supported without GNUTLS", - alg); - return -1; -} - -#endif /* ! CONFIG_GNUTLS_HASH */ - int qcrypto_hash_bytes(QCryptoHashAlgorithm alg, const char *buf, size_t len, diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 1620e126ae..a8965531b6 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -179,6 +179,27 @@ qcrypto_tls_creds_prop_get_dir(Object *obj, static void +qcrypto_tls_creds_prop_set_priority(Object *obj, + const char *value, + Error **errp G_GNUC_UNUSED) +{ + QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj); + + creds->priority = g_strdup(value); +} + + +static char * +qcrypto_tls_creds_prop_get_priority(Object *obj, + Error **errp G_GNUC_UNUSED) +{ + QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj); + + return g_strdup(creds->priority); +} + + +static void qcrypto_tls_creds_prop_set_endpoint(Object *obj, int value, Error **errp G_GNUC_UNUSED) @@ -216,6 +237,10 @@ qcrypto_tls_creds_class_init(ObjectClass *oc, void *data) qcrypto_tls_creds_prop_get_endpoint, qcrypto_tls_creds_prop_set_endpoint, NULL); + object_class_property_add_str(oc, "priority", + qcrypto_tls_creds_prop_get_priority, + qcrypto_tls_creds_prop_set_priority, + NULL); } @@ -234,6 +259,7 @@ qcrypto_tls_creds_finalize(Object *obj) QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj); g_free(creds->dir); + g_free(creds->priority); } diff --git a/crypto/tlssession.c b/crypto/tlssession.c index a543e5a576..2de42c61cb 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -132,14 +132,22 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, if (object_dynamic_cast(OBJECT(creds), TYPE_QCRYPTO_TLS_CREDS_ANON)) { QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds); + char *prio; - ret = gnutls_priority_set_direct(session->handle, - "NORMAL:+ANON-DH", NULL); + if (creds->priority != NULL) { + prio = g_strdup_printf("%s:+ANON-DH", creds->priority); + } else { + prio = g_strdup(CONFIG_TLS_PRIORITY ":+ANON-DH"); + } + + ret = gnutls_priority_set_direct(session->handle, prio, NULL); if (ret < 0) { - error_setg(errp, "Unable to set TLS session priority: %s", - gnutls_strerror(ret)); + error_setg(errp, "Unable to set TLS session priority %s: %s", + prio, gnutls_strerror(ret)); + g_free(prio); goto error; } + g_free(prio); if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { ret = gnutls_credentials_set(session->handle, GNUTLS_CRD_ANON, @@ -157,11 +165,15 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, } else if (object_dynamic_cast(OBJECT(creds), TYPE_QCRYPTO_TLS_CREDS_X509)) { QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds); + const char *prio = creds->priority; + if (!prio) { + prio = CONFIG_TLS_PRIORITY; + } - ret = gnutls_set_default_priority(session->handle); + ret = gnutls_priority_set_direct(session->handle, prio, NULL); if (ret < 0) { - error_setg(errp, "Cannot set default TLS session priority: %s", - gnutls_strerror(ret)); + error_setg(errp, "Cannot set default TLS session priority %s: %s", + prio, gnutls_strerror(ret)); goto error; } ret = gnutls_credentials_set(session->handle, diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h index 8e2babd533..59e91875c1 100644 --- a/include/crypto/tlscreds.h +++ b/include/crypto/tlscreds.h @@ -54,6 +54,7 @@ struct QCryptoTLSCreds { gnutls_dh_params_t dh_params; #endif bool verifyPeer; + char *priority; }; diff --git a/qapi/crypto.json b/qapi/crypto.json index 760d0c0577..4c4a3e07f4 100644 --- a/qapi/crypto.json +++ b/qapi/crypto.json @@ -42,12 +42,16 @@ # # @md5: MD5. Should not be used in any new code, legacy compat only # @sha1: SHA-1. Should not be used in any new code, legacy compat only +# @sha224: SHA-224. (since 2.7) # @sha256: SHA-256. Current recommended strong hash. +# @sha384: SHA-384. (since 2.7) +# @sha512: SHA-512. (since 2.7) +# @ripemd160: RIPEMD-160. (since 2.7) # Since: 2.6 ## { 'enum': 'QCryptoHashAlgorithm', 'prefix': 'QCRYPTO_HASH_ALG', - 'data': ['md5', 'sha1', 'sha256']} + 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} ## diff --git a/tests/Makefile.include b/tests/Makefile.include index 6c09962f75..f8e3c6b35a 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include @@ -86,7 +86,7 @@ check-unit-y += tests/test-qemu-opts$(EXESUF) gcov-files-test-qemu-opts-y = qom/test-qemu-opts.c check-unit-y += tests/test-write-threshold$(EXESUF) gcov-files-test-write-threshold-y = block/write-threshold.c -check-unit-$(CONFIG_GNUTLS_HASH) += tests/test-crypto-hash$(EXESUF) +check-unit-y += tests/test-crypto-hash$(EXESUF) check-unit-y += tests/test-crypto-cipher$(EXESUF) check-unit-y += tests/test-crypto-secret$(EXESUF) check-unit-$(CONFIG_GNUTLS) += tests/test-crypto-tlscredsx509$(EXESUF) diff --git a/tests/qemu-iotests/149 b/tests/qemu-iotests/149 index 52e23d2946..84072513db 100755 --- a/tests/qemu-iotests/149 +++ b/tests/qemu-iotests/149 @@ -153,6 +153,8 @@ def cryptsetup_format(config): cipher = config.cipher + "-" + config.mode + "-" + config.ivgen if config.ivgen_hash is not None: cipher = cipher + ":" + config.ivgen_hash + elif config.ivgen == "essiv": + cipher = cipher + ":" + "sha256" args.extend(["--cipher", cipher]) if config.mode == "xts": args.extend(["--key-size", str(config.keylen * 2)]) @@ -479,6 +481,16 @@ configs = [ "6": "slot6", "7": "slot7", }), + + # Check handling of default hash alg (sha256) with essiv + LUKSConfig("aes-256-cbc-essiv-auto-sha1", + "aes", 256, "cbc", "essiv", None, "sha1"), + + # Check that a useless hash provided for 'plain64' iv gen + # is ignored and no error raised + LUKSConfig("aes-256-cbc-plain64-sha256-sha1", + "aes", 256, "cbc", "plain64", "sha256", "sha1"), + ] blacklist = [ diff --git a/tests/qemu-iotests/149.out b/tests/qemu-iotests/149.out index 287f013012..90b5b55efb 100644 --- a/tests/qemu-iotests/149.out +++ b/tests/qemu-iotests/149.out @@ -1878,3 +1878,243 @@ sudo cryptsetup -q -v luksClose qiotest-145-aes-256-xts-plain-sha1-pwallslots # Delete image unlink TEST_DIR/luks-aes-256-xts-plain-sha1-pwallslots.img +# ================= dm-crypt aes-256-cbc-essiv-auto-sha1 ================= +# Create image +truncate TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img --size 4194304MB +# Format image +sudo cryptsetup -q -v luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha1 --key-slot 0 --key-file - TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Write test pattern 0xa7 +qemu-io -c write -P 0xa7 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x13 +qemu-io -c write -P 0x13 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Read test pattern 0xa7 +qemu-io -c read -P 0xa7 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x13 +qemu-io -c read -P 0x13 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x91 +qemu-io -c write -P 0x91 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x5e +qemu-io -c write -P 0x5e 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Read test pattern 0x91 +qemu-io -c read -P 0x91 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x5e +qemu-io -c read -P 0x5e 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Delete image +unlink TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img + +# ================= qemu-img aes-256-cbc-essiv-auto-sha1 ================= +# Create image +qemu-img create -f luks --object secret,id=sec0,data=MTIzNDU2,format=base64 -o key-secret=sec0,cipher-alg=aes-256,cipher-mode=cbc,ivgen-alg=essiv,hash-alg=sha1 TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img 4194304M +Formatting 'TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img', fmt=luks size=4398046511104 key-secret=sec0 cipher-alg=aes-256 cipher-mode=cbc ivgen-alg=essiv hash-alg=sha1 + +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Write test pattern 0xa7 +qemu-io -c write -P 0xa7 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x13 +qemu-io -c write -P 0x13 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Read test pattern 0xa7 +qemu-io -c read -P 0xa7 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x13 +qemu-io -c read -P 0x13 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x91 +qemu-io -c write -P 0x91 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x5e +qemu-io -c write -P 0x5e 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Read test pattern 0x91 +qemu-io -c read -P 0x91 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x5e +qemu-io -c read -P 0x5e 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-essiv-auto-sha1 +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-essiv-auto-sha1 +# Delete image +unlink TEST_DIR/luks-aes-256-cbc-essiv-auto-sha1.img + +# ================= dm-crypt aes-256-cbc-plain64-sha256-sha1 ================= +# Create image +truncate TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img --size 4194304MB +# Format image +sudo cryptsetup -q -v luksFormat --cipher aes-cbc-plain64:sha256 --key-size 256 --hash sha1 --key-slot 0 --key-file - TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Write test pattern 0xa7 +qemu-io -c write -P 0xa7 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x13 +qemu-io -c write -P 0x13 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Read test pattern 0xa7 +qemu-io -c read -P 0xa7 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x13 +qemu-io -c read -P 0x13 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x91 +qemu-io -c write -P 0x91 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x5e +qemu-io -c write -P 0x5e 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Read test pattern 0x91 +qemu-io -c read -P 0x91 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x5e +qemu-io -c read -P 0x5e 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Delete image +unlink TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img + +# ================= qemu-img aes-256-cbc-plain64-sha256-sha1 ================= +# Create image +qemu-img create -f luks --object secret,id=sec0,data=MTIzNDU2,format=base64 -o key-secret=sec0,cipher-alg=aes-256,cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha1,ivgen-hash-alg=sha256 TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img 4194304M +Formatting 'TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img', fmt=luks size=4398046511104 key-secret=sec0 cipher-alg=aes-256 cipher-mode=cbc ivgen-alg=plain64 ivgen-hash-alg=sha256 hash-alg=sha1 + +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Write test pattern 0xa7 +qemu-io -c write -P 0xa7 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x13 +qemu-io -c write -P 0x13 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Read test pattern 0xa7 +qemu-io -c read -P 0xa7 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x13 +qemu-io -c read -P 0x13 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x91 +qemu-io -c write -P 0x91 100M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +wrote 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Write test pattern 0x5e +qemu-io -c write -P 0x5e 3145728M 10M --object secret,id=sec0,data=MTIzNDU2,format=base64 --image-opts driver=luks,key-secret=sec0,file.filename=TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img +wrote 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Open dev +sudo cryptsetup -q -v luksOpen TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Set dev owner +sudo chown UID:GID /dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Read test pattern 0x91 +qemu-io -c read -P 0x91 100M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +read 10485760/10485760 bytes at offset 104857600 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Read test pattern 0x5e +qemu-io -c read -P 0x5e 3145728M 10M --image-opts driver=file,filename=/dev/mapper/qiotest-145-aes-256-cbc-plain64-sha256-sha1 +read 10485760/10485760 bytes at offset 3298534883328 +10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +# Close dev +sudo cryptsetup -q -v luksClose qiotest-145-aes-256-cbc-plain64-sha256-sha1 +# Delete image +unlink TEST_DIR/luks-aes-256-cbc-plain64-sha256-sha1.img + diff --git a/tests/test-crypto-hash.c b/tests/test-crypto-hash.c index 6e0e89f7d6..42fc77a107 100644 --- a/tests/test-crypto-hash.c +++ b/tests/test-crypto-hash.c @@ -30,27 +30,56 @@ #define OUTPUT_MD5 "628d206371563035ab8ef62f492bdec9" #define OUTPUT_SHA1 "b2e74f26758a3a421e509cee045244b78753cc02" +#define OUTPUT_SHA224 "e2f7415aad33ef79f6516b0986d7175f" \ + "9ca3389a85bf6cfed078737b" #define OUTPUT_SHA256 "bc757abb0436586f392b437e5dd24096" \ "f7f224de6b74d4d86e2abc6121b160d0" +#define OUTPUT_SHA384 "887ce52efb4f46700376356583b7e279" \ + "4f612bd024e4495087ddb946c448c69d" \ + "56dbf7152a94a5e63a80f3ba9f0eed78" +#define OUTPUT_SHA512 "3a90d79638235ec6c4c11bebd84d83c0" \ + "549bc1e84edc4b6ec7086487641256cb" \ + "63b54e4cb2d2032b393994aa263c0dbb" \ + "e00a9f2fe9ef6037352232a1eec55ee7" +#define OUTPUT_RIPEMD160 "f3d658fad3fdfb2b52c9369cf0d441249ddfa8a0" #define OUTPUT_MD5_B64 "Yo0gY3FWMDWrjvYvSSveyQ==" #define OUTPUT_SHA1_B64 "sudPJnWKOkIeUJzuBFJEt4dTzAI=" +#define OUTPUT_SHA224_B64 "4vdBWq0z73n2UWsJhtcXX5yjOJqFv2z+0Hhzew==" #define OUTPUT_SHA256_B64 "vHV6uwQ2WG85K0N+XdJAlvfyJN5rdNTYbiq8YSGxYNA=" +#define OUTPUT_SHA384_B64 "iHzlLvtPRnADdjVlg7fieU9hK9Ak5ElQh925RsRI" \ + "xp1W2/cVKpSl5jqA87qfDu14" +#define OUTPUT_SHA512_B64 "OpDXljgjXsbEwRvr2E2DwFSbwehO3Etuxwhkh2QS" \ + "VstjtU5MstIDKzk5lKomPA274AqfL+nvYDc1IjKh" \ + "7sVe5w==" +#define OUTPUT_RIPEMD160_B64 "89ZY+tP9+ytSyTac8NRBJJ3fqKA=" static const char *expected_outputs[] = { [QCRYPTO_HASH_ALG_MD5] = OUTPUT_MD5, [QCRYPTO_HASH_ALG_SHA1] = OUTPUT_SHA1, + [QCRYPTO_HASH_ALG_SHA224] = OUTPUT_SHA224, [QCRYPTO_HASH_ALG_SHA256] = OUTPUT_SHA256, + [QCRYPTO_HASH_ALG_SHA384] = OUTPUT_SHA384, + [QCRYPTO_HASH_ALG_SHA512] = OUTPUT_SHA512, + [QCRYPTO_HASH_ALG_RIPEMD160] = OUTPUT_RIPEMD160, }; static const char *expected_outputs_b64[] = { [QCRYPTO_HASH_ALG_MD5] = OUTPUT_MD5_B64, [QCRYPTO_HASH_ALG_SHA1] = OUTPUT_SHA1_B64, + [QCRYPTO_HASH_ALG_SHA224] = OUTPUT_SHA224_B64, [QCRYPTO_HASH_ALG_SHA256] = OUTPUT_SHA256_B64, + [QCRYPTO_HASH_ALG_SHA384] = OUTPUT_SHA384_B64, + [QCRYPTO_HASH_ALG_SHA512] = OUTPUT_SHA512_B64, + [QCRYPTO_HASH_ALG_RIPEMD160] = OUTPUT_RIPEMD160_B64, }; static const int expected_lens[] = { [QCRYPTO_HASH_ALG_MD5] = 16, [QCRYPTO_HASH_ALG_SHA1] = 20, + [QCRYPTO_HASH_ALG_SHA224] = 28, [QCRYPTO_HASH_ALG_SHA256] = 32, + [QCRYPTO_HASH_ALG_SHA384] = 48, + [QCRYPTO_HASH_ALG_SHA512] = 64, + [QCRYPTO_HASH_ALG_RIPEMD160] = 20, }; static const char hex[] = "0123456789abcdef"; @@ -68,6 +97,10 @@ static void test_hash_alloc(void) int ret; size_t j; + if (!qcrypto_hash_supports(i)) { + continue; + } + ret = qcrypto_hash_bytes(i, INPUT_TEXT, strlen(INPUT_TEXT), @@ -98,6 +131,10 @@ static void test_hash_prealloc(void) int ret; size_t j; + if (!qcrypto_hash_supports(i)) { + continue; + } + resultlen = expected_lens[i]; result = g_new0(uint8_t, resultlen); @@ -137,6 +174,10 @@ static void test_hash_iov(void) int ret; size_t j; + if (!qcrypto_hash_supports(i)) { + continue; + } + ret = qcrypto_hash_bytesv(i, iov, 3, &result, @@ -165,6 +206,10 @@ static void test_hash_digest(void) char *digest; size_t digestsize; + if (!qcrypto_hash_supports(i)) { + continue; + } + digestsize = qcrypto_hash_digest_len(i); g_assert_cmpint(digestsize * 2, ==, strlen(expected_outputs[i])); @@ -175,7 +220,7 @@ static void test_hash_digest(void) &digest, NULL); g_assert(ret == 0); - g_assert(g_str_equal(digest, expected_outputs[i])); + g_assert_cmpstr(digest, ==, expected_outputs[i]); g_free(digest); } } @@ -191,13 +236,17 @@ static void test_hash_base64(void) int ret; char *digest; + if (!qcrypto_hash_supports(i)) { + continue; + } + ret = qcrypto_hash_base64(i, INPUT_TEXT, strlen(INPUT_TEXT), &digest, NULL); g_assert(ret == 0); - g_assert(g_str_equal(digest, expected_outputs_b64[i])); + g_assert_cmpstr(digest, ==, expected_outputs_b64[i]); g_free(digest); } } diff --git a/tests/test-crypto-xts.c b/tests/test-crypto-xts.c index 7f68b063cd..1f1412c45a 100644 --- a/tests/test-crypto-xts.c +++ b/tests/test-crypto-xts.c @@ -340,7 +340,7 @@ static void test_xts_aes_decrypt(const void *ctx, static void test_xts(const void *opaque) { const QCryptoXTSTestData *data = opaque; - unsigned char OUT[512], Torg[16], T[16]; + unsigned char out[512], Torg[16], T[16]; uint64_t seq; int j; unsigned long len; @@ -371,38 +371,38 @@ static void test_xts(const void *opaque) xts_encrypt(&aesdata, &aestweak, test_xts_aes_encrypt, test_xts_aes_decrypt, - T, data->PTLEN, OUT, data->PTX); + T, data->PTLEN, out, data->PTX); } else { xts_encrypt(&aesdata, &aestweak, test_xts_aes_encrypt, test_xts_aes_decrypt, - T, len, OUT, data->PTX); + T, len, out, data->PTX); xts_encrypt(&aesdata, &aestweak, test_xts_aes_encrypt, test_xts_aes_decrypt, - T, len, &OUT[len], &data->PTX[len]); + T, len, &out[len], &data->PTX[len]); } - g_assert(memcmp(OUT, data->CTX, data->PTLEN) == 0); + g_assert(memcmp(out, data->CTX, data->PTLEN) == 0); memcpy(T, Torg, sizeof(T)); if (j == 0) { xts_decrypt(&aesdata, &aestweak, test_xts_aes_encrypt, test_xts_aes_decrypt, - T, data->PTLEN, OUT, data->CTX); + T, data->PTLEN, out, data->CTX); } else { xts_decrypt(&aesdata, &aestweak, test_xts_aes_encrypt, test_xts_aes_decrypt, - T, len, OUT, data->CTX); + T, len, out, data->CTX); xts_decrypt(&aesdata, &aestweak, test_xts_aes_encrypt, test_xts_aes_decrypt, - T, len, &OUT[len], &data->CTX[len]); + T, len, &out[len], &data->CTX[len]); } - g_assert(memcmp(OUT, data->PTX, data->PTLEN) == 0); + g_assert(memcmp(out, data->PTX, data->PTLEN) == 0); } } |